On 7/3/06, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> > it is not a rule.
> OK, not a rule, but still shouldn't it be possible or useful to see that
> in effect? If you make changes for testing or whatnot and you use this
> temporarily, etc., on a box of 10+ interfaces, just my thinking, but I was
> expecting to see this in the display of how pf was working.
> Yes, it might be stupid to forget to remove it or whatever, but if you
> do check the active rules to see what's in action and skip doesn't show
> up there, one might think all is good and not check the detailed
> configuration to see whether that would be there or not.
> Just a thought.
> Someone might put this in effect and then another admin checks the
> rules, doesn't see it, thinks all is good and looks elsewhere, just to
> find out after many hours that this set skip is bypassing the
> configuration.
> It may not be a rule, but it still has an effect in the working configuration.
> Doesn't it make sense to see it?
Indeed it does, but not by hacking up `-s rules`. pfctl(8) lists all
the various things you can display with -s. 'options' (as per
pf.conf(5)) do not seem to be among them, however, which I agree is
unfortunate. It also doesn't help that the manpage says, next to -s
rules:
"Note that the ``skip step'' optimization done automatically by the
kernel will skip evaluation of rules where possible." which seems to
imply that `-s rules` has something to do with `set skip`.
I don't know a lot about the architecture of pf (I plan to learn soon,
though), so maybe this is completely stupid, but I suggest adding modes
for `pfctl -s` to match everything listed in pf.conf(5).
-Nick
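A check for the situation Daniel describes, added here as an example and not code from either message in the thread: instead of looking for `set skip` in `pfctl -s rules` (which lists rules only), compare what the kernel reports as skipped with what the pf.conf on disk names. It rests on two assumptions that you should verify against pfctl(8) on your release: that `pfctl -s Interfaces -v` prints one interface per line and appends `(skip)` to interfaces the kernel is skipping, and that the on-disk config uses the `set skip on ifspec` / `set skip on { ifspec ... }` syntax of pf.conf(5). The helper names (`skipped_in_kernel`, `stale_skips`, and so on) and the sample pfctl output and pf.conf are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit "set skip" without relying
# on `pfctl -s rules`, which lists rules only and never options.
#
# Assumptions, labelled as such: `pfctl -s Interfaces -v` prints one
# interface per line and appends " (skip)" to interfaces the kernel is
# skipping (check your pfctl(8)); the config on disk is in pf.conf(5)
# syntax with `set skip on ifspec` or `set skip on { ifspec ... }`.

# Interfaces the kernel is skipping, parsed from `pfctl -s Interfaces -v`
# (or -vv) output read on stdin.  Stat lines from -vv start with a word
# such as "Cleared:" and never have "(skip)" as their second field.
skipped_in_kernel() {
    awk '$2 == "(skip)" { print $1 }'
}

# Interfaces named by "set skip on" lines of a pf.conf read on stdin.
# Strips braces and commas, stops at a trailing "#" comment.
skipped_in_conf() {
    awk '$1 == "set" && $2 == "skip" && $3 == "on" {
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^#/) break
                gsub(/[{},]/, "", $i)
                if ($i != "") print $i
            }
        }'
}

# Lines of $1 that do not occur as a whole line in $2 (both newline
# separated; interface names contain no whitespace, so plain word
# splitting of $2 is safe).
lines_not_in() {
    printf '%s\n' "$1" | while read -r item; do
        [ -n "$item" ] || continue
        hit=0
        for other in $2; do
            if [ "$other" = "$item" ]; then hit=1; fi
        done
        if [ "$hit" -eq 0 ]; then printf '%s\n' "$item"; fi
    done
}

# Skips the kernel applies that the config on disk does not name: the
# "temporary set skip that nobody removed" case.  $1 is pfctl -sI -v
# output, $2 is the pf.conf text.
stale_skips() {
    lines_not_in "$(printf '%s\n' "$1" | skipped_in_kernel)" \
                 "$(printf '%s\n' "$2" | skipped_in_conf)"
}

# Skips the config names that the kernel is not applying (file edited but
# not loaded).  What the kernel reports is what is actually in effect.
unloaded_skips() {
    lines_not_in "$(printf '%s\n' "$2" | skipped_in_conf)" \
                 "$(printf '%s\n' "$1" | skipped_in_kernel)"
}

# Constructed sample of `pfctl -s Interfaces -v` output (not captured from
# a real host): em1 was skipped during testing and forgotten.
SAMPLE_PFCTL_SI='all
carp
em0
em1 (skip)
lo
lo0 (skip)
pflog0'

# Constructed pf.conf: only lo0 is meant to be skipped.
SAMPLE_PF_CONF='# options
set skip on { lo0 }
set block-policy drop
pass out on em0 keep state'

# Worked run on the samples.  On a live box use
#   stale_skips "$(pfctl -s Interfaces -v)" "$(cat /etc/pf.conf)"
echo "skipped in kernel, not named in pf.conf:"
stale_skips "$SAMPLE_PFCTL_SI" "$SAMPLE_PF_CONF"      # em1
echo "named in pf.conf, not skipped in kernel:"
unloaded_skips "$SAMPLE_PFCTL_SI" "$SAMPLE_PF_CONF"   # (nothing)
```

The kernel side is the one that matters: a skip flag the kernel reports is in effect whether or not the file on disk still mentions it, which is exactly why checking `-s rules` alone can mislead the second admin in Daniel's scenario. Running both directions also catches the opposite drift, a `set skip` added to the file but never loaded.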